Configure DB Connect v1 inputs for the Splunk Add-on for Microsoft SQL Server
To gather Trace log logs, audit logs, and data from Dynamic Management Views, the Splunk Add-on for Microsoft SQL Server leverages Splunk DB Connect. Follow the instructions that correspond to the version of DB Connect that you have installed. This topic presents the instructions for DB Connect Version 1.1.6, 1.1.7, or 1.2.X.
Note: If you are using DB Connect version 2.x, see "Configure DB Connect v2 inputs for the Splunk Add-on for Microsoft SQL Server."
Configure Dynamic Management View data collection
Configure data collection from your Microsoft SQL Server Dynamic Management Views using Splunk DB Connect.
1. Following the directions in the Splunk DB Connect documentation, create a database connection called sqlserver_default_connection
. All stanzas for Splunk DB Connect monitoring contain the name of this database connection. Create it before proceeding with any DB Connect input configurations for this add-on. If you use a database connection name other than sqlserver_default_connection
, replace all instances of the string sqlserver_default_connection
in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf
with the name you select instead.
Note: Specific permissions are required.
- The user that you use to configure the connection must have SELECT permission on objects and VIEW SERVER STATE or VIEW DATABASE STATE permissions. See http://msdn.microsoft.com/en-us/library/ms188754.aspx for more information about the required permissions.
- If you want to create audits via DB Connect, ensure that the user has ALTER ANY DATABASE AUDIT permission and CONTROL SERVER, ALTER ANY DATABASE AUDIT permissions, or is the sysadmin account. For additional information, see http://msdn.microsoft.com/en-us/library/cc280424.aspx. If you want to create audits via DB Connect, uncheck the Read Only option and connect to the master database.
2. In %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf
replace "disabled = 1" with "disabled = 0" for all the monitoring tasks you wish to enable.
For more details about each Dynamic Management View event, refer to the "Data from Dynamic Management View" section of the source types reference page.
Configure trace and audit log collection
Trace logs and audit events are in binary format, so the add-on collects them via Splunk DB Connect. DB connect uses the SQL function fn_trace_gettable
to parse the trace log content and the SQL function sys.fn_get_audit_file
to parse the audit event content.
Configure the collection of these logs in your %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf
.
1. Change the path of the SQL Server trace log file position in stanza [dbmon-tail://sqlserver_default_connection/mssql_profilerlog]
.
2. Change the path of audit log file path in the stanza [dbmon-tail://sqlserver_default_connection/mssql_audit]
.
3. Restart your Splunk platform instance for the changes to take effect.
Adjust your auto KV extraction settings
Some source types, such as mssql:execution:dm_exec_query_stats
retrieve fields with multiple lines. To ensure that your fields show the full values that you expect, adjust your KV extraction settings.
- Open
%SPLUNK_HOME%\etc\system\local\limits.conf
. - Add or change this stanza:
[kv] maxchars = 20480
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!